f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

Analysis

max time kernel
190s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Size

221KB
MD5

3ff6a11262b3f308706c41455ac8361a
SHA1

fcd062c08341b562022412c0a8662636ddd22f16
SHA256

f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29
SHA512

e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b
SSDEEP

6144:a7OHpHzFMmJkMh98gWNlPTGQQm6agrdeNRkNIRR1:a7GzuhpNtTirdPuf

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
5088	Vanguard.exe
3528	Vanguard.exe
964	Vanguard.exe
2016	Vanguard.exe
2752	Vanguard.exe
1132	Vanguard.exe
4136	Vanguard.exe
212	Vanguard.exe
2376	Vanguard.exe
1460	Vanguard.exe
4068	Vanguard.exe
816	Vanguard.exe
1224	Vanguard.exe
1284	Vanguard.exe
4048	Vanguard.exe
836	Vanguard.exe
3108	Vanguard.exe
3656	Vanguard.exe
2668	Vanguard.exe
2776	Vanguard.exe
2732	Vanguard.exe
2804	Vanguard.exe
2408	Vanguard.exe
996	Vanguard.exe
1948	Vanguard.exe
1448	Vanguard.exe
860	Vanguard.exe
4860	Vanguard.exe
3420	Vanguard.exe
3676	Vanguard.exe
4124	Vanguard.exe
1512	Vanguard.exe
4952	Vanguard.exe
2176	Vanguard.exe
2276	Vanguard.exe
1308	Vanguard.exe
216	Vanguard.exe
2316	Vanguard.exe
3648	Vanguard.exe
1460	Vanguard.exe
4068	Vanguard.exe
1792	Vanguard.exe
364	Vanguard.exe
2132	Vanguard.exe
3516	Vanguard.exe
2236	Vanguard.exe
3144	Vanguard.exe
1452	Vanguard.exe
2548	Vanguard.exe
4220	Vanguard.exe
1272	Vanguard.exe
1440	Vanguard.exe
4844	Vanguard.exe
3944	Vanguard.exe
3936	Vanguard.exe
1380	Vanguard.exe
5072	Vanguard.exe
4972	Vanguard.exe
2952	Vanguard.exe
4612	Vanguard.exe
2252	Vanguard.exe
1548	Vanguard.exe
3648	Vanguard.exe
3788	Vanguard.exe

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}\StubPath = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VEQIC-4AB6I-2GCZ2-4YL8L-VYKN4}	Vanguard.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vanguard = "C:\\Windows\\system32\\Vanguard.exe"	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Vanguard.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File opened for modification	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe
File created	C:\Windows\SysWOW64\Vanguard.exe	Vanguard.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vanguard.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Token: SeDebugPrivilege	3452	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Token: SeDebugPrivilege	1512	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Token: SeDebugPrivilege	1512	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
Token: SeDebugPrivilege	5088	Vanguard.exe
Token: SeDebugPrivilege	5088	Vanguard.exe
Token: SeDebugPrivilege	3528	Vanguard.exe
Token: SeDebugPrivilege	3528	Vanguard.exe
Token: SeDebugPrivilege	964	Vanguard.exe
Token: SeDebugPrivilege	964	Vanguard.exe
Token: SeDebugPrivilege	2016	Vanguard.exe
Token: SeDebugPrivilege	2016	Vanguard.exe
Token: SeDebugPrivilege	2752	Vanguard.exe
Token: SeDebugPrivilege	2752	Vanguard.exe
Token: SeDebugPrivilege	1132	Vanguard.exe
Token: SeDebugPrivilege	1132	Vanguard.exe
Token: SeDebugPrivilege	4136	Vanguard.exe
Token: SeDebugPrivilege	4136	Vanguard.exe
Token: SeDebugPrivilege	212	Vanguard.exe
Token: SeDebugPrivilege	212	Vanguard.exe
Token: SeDebugPrivilege	2376	Vanguard.exe
Token: SeDebugPrivilege	2376	Vanguard.exe
Token: SeDebugPrivilege	1460	Vanguard.exe
Token: SeDebugPrivilege	1460	Vanguard.exe
Token: SeDebugPrivilege	4068	Vanguard.exe
Token: SeDebugPrivilege	4068	Vanguard.exe
Token: SeDebugPrivilege	816	Vanguard.exe
Token: SeDebugPrivilege	816	Vanguard.exe
Token: SeDebugPrivilege	1224	Vanguard.exe
Token: SeDebugPrivilege	1224	Vanguard.exe
Token: SeDebugPrivilege	1284	Vanguard.exe
Token: SeDebugPrivilege	1284	Vanguard.exe
Token: SeDebugPrivilege	4048	Vanguard.exe
Token: SeDebugPrivilege	4048	Vanguard.exe
Token: SeDebugPrivilege	836	Vanguard.exe
Token: SeDebugPrivilege	836	Vanguard.exe
Token: SeDebugPrivilege	3108	Vanguard.exe
Token: SeDebugPrivilege	3108	Vanguard.exe
Token: SeDebugPrivilege	3656	Vanguard.exe
Token: SeDebugPrivilege	3656	Vanguard.exe
Token: SeDebugPrivilege	2668	Vanguard.exe
Token: SeDebugPrivilege	2668	Vanguard.exe
Token: SeDebugPrivilege	2776	Vanguard.exe
Token: SeDebugPrivilege	2776	Vanguard.exe
Token: SeDebugPrivilege	2732	Vanguard.exe
Token: SeDebugPrivilege	2732	Vanguard.exe
Token: SeDebugPrivilege	2804	Vanguard.exe
Token: SeDebugPrivilege	2804	Vanguard.exe
Token: SeDebugPrivilege	2408	Vanguard.exe
Token: SeDebugPrivilege	2408	Vanguard.exe
Token: SeDebugPrivilege	996	Vanguard.exe
Token: SeDebugPrivilege	996	Vanguard.exe
Token: SeDebugPrivilege	1948	Vanguard.exe
Token: SeDebugPrivilege	1948	Vanguard.exe
Token: SeDebugPrivilege	1448	Vanguard.exe
Token: SeDebugPrivilege	1448	Vanguard.exe
Token: SeDebugPrivilege	860	Vanguard.exe
Token: SeDebugPrivilege	860	Vanguard.exe
Token: SeDebugPrivilege	4860	Vanguard.exe
Token: SeDebugPrivilege	4860	Vanguard.exe
Token: SeDebugPrivilege	3420	Vanguard.exe
Token: SeDebugPrivilege	3420	Vanguard.exe
Token: SeDebugPrivilege	3676	Vanguard.exe
Token: SeDebugPrivilege	3676	Vanguard.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1512	3452	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe	79
PID 3452 wrote to memory of 1512	3452	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe	79
PID 3452 wrote to memory of 1512	3452	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe	79
PID 1512 wrote to memory of 5088	1512	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe	80
PID 1512 wrote to memory of 5088	1512	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe	80
PID 1512 wrote to memory of 5088	1512	f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe	80
PID 5088 wrote to memory of 3528	5088	Vanguard.exe	81
PID 5088 wrote to memory of 3528	5088	Vanguard.exe	81
PID 5088 wrote to memory of 3528	5088	Vanguard.exe	81
PID 3528 wrote to memory of 964	3528	Vanguard.exe	82
PID 3528 wrote to memory of 964	3528	Vanguard.exe	82
PID 3528 wrote to memory of 964	3528	Vanguard.exe	82
PID 964 wrote to memory of 2016	964	Vanguard.exe	83
PID 964 wrote to memory of 2016	964	Vanguard.exe	83
PID 964 wrote to memory of 2016	964	Vanguard.exe	83
PID 2016 wrote to memory of 2752	2016	Vanguard.exe	84
PID 2016 wrote to memory of 2752	2016	Vanguard.exe	84
PID 2016 wrote to memory of 2752	2016	Vanguard.exe	84
PID 2752 wrote to memory of 1132	2752	Vanguard.exe	85
PID 2752 wrote to memory of 1132	2752	Vanguard.exe	85
PID 2752 wrote to memory of 1132	2752	Vanguard.exe	85
PID 1132 wrote to memory of 4136	1132	Vanguard.exe	86
PID 1132 wrote to memory of 4136	1132	Vanguard.exe	86
PID 1132 wrote to memory of 4136	1132	Vanguard.exe	86
PID 4136 wrote to memory of 212	4136	Vanguard.exe	87
PID 4136 wrote to memory of 212	4136	Vanguard.exe	87
PID 4136 wrote to memory of 212	4136	Vanguard.exe	87
PID 212 wrote to memory of 2376	212	Vanguard.exe	88
PID 212 wrote to memory of 2376	212	Vanguard.exe	88
PID 212 wrote to memory of 2376	212	Vanguard.exe	88
PID 2376 wrote to memory of 1460	2376	Vanguard.exe	89
PID 2376 wrote to memory of 1460	2376	Vanguard.exe	89
PID 2376 wrote to memory of 1460	2376	Vanguard.exe	89
PID 1460 wrote to memory of 4068	1460	Vanguard.exe	90
PID 1460 wrote to memory of 4068	1460	Vanguard.exe	90
PID 1460 wrote to memory of 4068	1460	Vanguard.exe	90
PID 4068 wrote to memory of 816	4068	Vanguard.exe	91
PID 4068 wrote to memory of 816	4068	Vanguard.exe	91
PID 4068 wrote to memory of 816	4068	Vanguard.exe	91
PID 816 wrote to memory of 1224	816	Vanguard.exe	92
PID 816 wrote to memory of 1224	816	Vanguard.exe	92
PID 816 wrote to memory of 1224	816	Vanguard.exe	92
PID 1224 wrote to memory of 1284	1224	Vanguard.exe	93
PID 1224 wrote to memory of 1284	1224	Vanguard.exe	93
PID 1224 wrote to memory of 1284	1224	Vanguard.exe	93
PID 1284 wrote to memory of 4048	1284	Vanguard.exe	94
PID 1284 wrote to memory of 4048	1284	Vanguard.exe	94
PID 1284 wrote to memory of 4048	1284	Vanguard.exe	94
PID 4048 wrote to memory of 836	4048	Vanguard.exe	95
PID 4048 wrote to memory of 836	4048	Vanguard.exe	95
PID 4048 wrote to memory of 836	4048	Vanguard.exe	95
PID 836 wrote to memory of 3108	836	Vanguard.exe	96
PID 836 wrote to memory of 3108	836	Vanguard.exe	96
PID 836 wrote to memory of 3108	836	Vanguard.exe	96
PID 3108 wrote to memory of 3656	3108	Vanguard.exe	97
PID 3108 wrote to memory of 3656	3108	Vanguard.exe	97
PID 3108 wrote to memory of 3656	3108	Vanguard.exe	97
PID 3656 wrote to memory of 2668	3656	Vanguard.exe	98
PID 3656 wrote to memory of 2668	3656	Vanguard.exe	98
PID 3656 wrote to memory of 2668	3656	Vanguard.exe	98
PID 2668 wrote to memory of 2776	2668	Vanguard.exe	99
PID 2668 wrote to memory of 2776	2668	Vanguard.exe	99
PID 2668 wrote to memory of 2776	2668	Vanguard.exe	99
PID 2776 wrote to memory of 2732	2776	Vanguard.exe	100

C:\Users\Admin\AppData\Local\Temp\f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
"C:\Users\Admin\AppData\Local\Temp\f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe
  "C:\Users\Admin\AppData\Local\Temp\f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29.exe" /r
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\Vanguard.exe
    "C:\Windows\system32\Vanguard.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\Vanguard.exe
      "C:\Windows\SysWOW64\Vanguard.exe" /r
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        10⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        12⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        14⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        16⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        18⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        24⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        26⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        28⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        30⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        31⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        33⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        34⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:1512
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        35⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        36⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        38⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        
        PID:1308
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        41⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3648
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        42⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        43⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        44⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        
        PID:1792
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        45⤵
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        46⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        47⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        48⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        49⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        51⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        52⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        53⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        54⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        55⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        57⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3936
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        58⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        59⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5072
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        60⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        
        PID:4972
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        61⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        63⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2252
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        64⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        66⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        67⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        69⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        70⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        71⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        72⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        
        PID:2668
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        73⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        74⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        75⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        77⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        78⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        79⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        81⤵
        Checks computer location settings
        
        PID:2480
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        82⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        83⤵
        Checks computer location settings
        
        PID:5088
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        84⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        85⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        86⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        87⤵
        
        PID:972
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        88⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        89⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        90⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        91⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        92⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        93⤵
        Checks computer location settings
        
        PID:424
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        94⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3976
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        95⤵
        Checks computer location settings
        
        PID:960
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        96⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        97⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        98⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        99⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        100⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        101⤵
        Checks computer location settings
        
        PID:3608
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        103⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        104⤵
        
        PID:724
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        105⤵
        
        PID:992
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        106⤵
        Modifies Installed Components in the registry
        
        PID:2580
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        107⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        108⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        109⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        110⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        111⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        112⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        113⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        115⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        116⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        117⤵
        Checks computer location settings
        
        PID:4576
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        118⤵
        Modifies Installed Components in the registry
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        119⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        121⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        122⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        123⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        124⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        125⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        126⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        127⤵
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        128⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:3976
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        129⤵
        Checks computer location settings
        
        PID:3212
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        130⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        131⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        132⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        133⤵
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        134⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        135⤵
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        136⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        137⤵
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        138⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        139⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        140⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        
        PID:3100
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        141⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        142⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        143⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        144⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        145⤵
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        146⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        147⤵
        Checks computer location settings
        
        PID:1560
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        148⤵
        Modifies Installed Components in the registry
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        149⤵
        Checks computer location settings
        
        PID:5088
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        150⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        151⤵
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        152⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        153⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        154⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        155⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        156⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:3012
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        157⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        158⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        159⤵
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        160⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        
        PID:3440
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        161⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        162⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\system32\Vanguard.exe"
        163⤵
        Checks computer location settings
        
        PID:708
        
        C:\Windows\SysWOW64\Vanguard.exe
        
        "C:\Windows\SysWOW64\Vanguard.exe" /r
        164⤵
        Adds Run key to start application
        
        PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
C:\Windows\SysWOW64\Vanguard.exe

Filesize
221KB

MD5
3ff6a11262b3f308706c41455ac8361a

SHA1
fcd062c08341b562022412c0a8662636ddd22f16

SHA256
f1d29e0e7c7d68b79f40c192fd24fe3bdd0d128b228420ab5e2e940f64b39a29

SHA512
e999503dc6e7a177155024a22fdd013b7f4e005f2a6b72ba11a69051315f207da220f693268a040053085aa6811ca3b133678c145014bdaa1b60c145143ac27b

Download Submit
memory/212-177-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/212-176-0x0000000001F20000-0x0000000001F63000-memory.dmp

Filesize
268KB

Download
memory/212-175-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/816-194-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/816-195-0x00000000020C0000-0x0000000002103000-memory.dmp

Filesize
268KB

Download
memory/816-198-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/816-199-0x00000000020C0000-0x0000000002103000-memory.dmp

Filesize
268KB

Download
memory/836-215-0x0000000002100000-0x0000000002143000-memory.dmp

Filesize
268KB

Download
memory/836-216-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/836-219-0x0000000002100000-0x0000000002143000-memory.dmp

Filesize
268KB

Download
memory/836-220-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/964-158-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/964-156-0x00000000021B0000-0x00000000021F3000-memory.dmp

Filesize
268KB

Download
memory/964-157-0x00000000023E0000-0x00000000023E9000-memory.dmp

Filesize
36KB

Download
memory/1132-168-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/1132-167-0x00000000004C0000-0x0000000000503000-memory.dmp

Filesize
268KB

Download
memory/1224-203-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/1224-204-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/1224-202-0x00000000006D0000-0x0000000000713000-memory.dmp

Filesize
268KB

Download
memory/1284-206-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/1284-205-0x00000000020E0000-0x0000000002123000-memory.dmp

Filesize
268KB

Download
memory/1460-186-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/1460-187-0x0000000002060000-0x00000000020A3000-memory.dmp

Filesize
268KB

Download
memory/1460-185-0x0000000002280000-0x0000000002289000-memory.dmp

Filesize
36KB

Download
memory/1512-139-0x0000000002290000-0x0000000002299000-memory.dmp

Filesize
36KB

Download
memory/1512-140-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/1512-141-0x0000000002060000-0x00000000020A3000-memory.dmp

Filesize
268KB

Download
memory/2016-160-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/2016-159-0x0000000001F50000-0x0000000001F93000-memory.dmp

Filesize
268KB

Download
memory/2376-184-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/2376-183-0x0000000002290000-0x0000000002299000-memory.dmp

Filesize
36KB

Download
memory/2376-182-0x00000000020E0000-0x0000000002123000-memory.dmp

Filesize
268KB

Download
memory/2668-233-0x0000000002180000-0x0000000002189000-memory.dmp

Filesize
36KB

Download
memory/2668-234-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/2668-235-0x00000000005D0000-0x0000000000613000-memory.dmp

Filesize
268KB

Download
memory/2752-165-0x0000000002060000-0x00000000020A3000-memory.dmp

Filesize
268KB

Download
memory/2752-166-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/2776-237-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/2776-238-0x0000000001FA0000-0x0000000001FE3000-memory.dmp

Filesize
268KB

Download
memory/2776-236-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/3108-225-0x0000000001F30000-0x0000000001F73000-memory.dmp

Filesize
268KB

Download
memory/3108-222-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/3108-226-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/3108-221-0x0000000001F30000-0x0000000001F73000-memory.dmp

Filesize
268KB

Download
memory/3452-134-0x00000000021A0000-0x00000000021E3000-memory.dmp

Filesize
268KB

Download
memory/3452-135-0x00000000023E0000-0x00000000023E3000-memory.dmp

Filesize
12KB

Download
memory/3452-133-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/3452-136-0x00000000023D0000-0x00000000023D9000-memory.dmp

Filesize
36KB

Download
memory/3452-138-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/3528-151-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/3528-150-0x0000000001F80000-0x0000000001FC3000-memory.dmp

Filesize
268KB

Download
memory/3656-228-0x0000000001FF0000-0x0000000002033000-memory.dmp

Filesize
268KB

Download
memory/3656-227-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/4048-213-0x00000000020E0000-0x0000000002123000-memory.dmp

Filesize
268KB

Download
memory/4048-214-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/4048-209-0x00000000020E0000-0x0000000002123000-memory.dmp

Filesize
268KB

Download
memory/4048-210-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/4068-192-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/4068-193-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/4136-174-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/4136-173-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/5088-147-0x0000000001F70000-0x0000000001FB3000-memory.dmp

Filesize
268KB

Download
memory/5088-149-0x0000000020000000-0x000000002004F000-memory.dmp

Filesize
316KB

Download
memory/5088-148-0x00000000022A0000-0x00000000022A9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads